Skip to main content

Home Depot settles breach suit, will pay $19m

by Paul Roberts on Friday August 6, 2021

Contact Us
Free Demo
Chat

Less than two years after it disclosed a massive breach of its payment system, Home Depot agreed to pay out more than $19 million to settle a class action suit, citing a need to ‘move on.’

Home Depot is 'moving on' from its widely publicized 2014 data breach.

Reuters reported on Tuesday that Home Depot had filed papers in federal court in Atlanta indicating that the company has agreed to pay $13 million to compensate consumers affected in the 2014 breach. An additional $6.5 million was set aside to pay for 18 months of identity protection services for cardholders.

In September 2014, Home Depot acknowledged that information on as many as 56 million credit cards was exposed in a sustained breach of the company that stretched from April 2014 to September of that year.

Subsequent reporting pointed to a pattern of lax security practices at the home improvement giant. Reporting by Nicole Perlroth in The New York Times quoted former employees saying that Home Depot gave short shrift to security: relying on outdated antivirus software by Symantec and infrequently running vulnerability and malicious software scans on point of sale and other systems responsible for handling customer transactions. (I wrote about this here.)

The $13 million in payments for victims amounts to $.23 per lost record.

Prior to settling, Home Depot had sought to have the class action suit dismissed altogether. In September 2015, the company filed a motion in federal court in Atlanta to have the class action suit dismissed. It’s argument: the consumers behind the class action suit cannot prove they were damaged by the breach.

"All of the claims alleged in the complaint suffer from the same fatal defect found in the vast majority of other breach cases ... they have suffered no actual or imminent economic injury that is fairly traceable to Home Depot's alleged conduct," the company says in its filing, according to a report in the Atlanta Business Chronicle.

That argument didn’t meet with much success in court in Atlanta, apparently. In statements on Tuesday, Home Depot spokesman Stephen Holmes said the company wanted to “put the litigation behind us.” “This was the most expeditious path,” Holmes said.

A hearing to approve the final settlement is scheduled for August 12th, 2016 in Atlanta.

Home Depot’s settlement is in line with other recent breaches at retailers. Target Stores, for example agreed to pay $10 million to make consumers whole after its breach.

However: still pending are lawsuits brought by credit card companies and banks who suffered damage from fraud related to the incident. In Target’s case: those suits were more costly. The company agreed in August to pay $67 million to Visa over the data hack. In December, it reached an agreement to pay another $39 million to banks that service Mastercard.

Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.

Tags:  Data Breaches

Recommended Resources


The Definitive Guide to DLP

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives

The Definitive Guide to Data Classification

  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business